HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information
Ben Rothke, CISSP PCI QSA
August 4th, 2008
Introduction

In the world of information security, well-defined security programs are the forests, and regulations like HIPAA, SOX and PCI are the trees. And too many healthcare organizations mistake the forest for the trees.

By way of analogy, one of the benefits of Social Security is SSI, or Supplemental Security Income. The operative word is supplemental. Social Security is meant to augment your retirement, not be the main income source for your retirement. HIPAA is much like SSI and is meant to supplement your formal information security program. If you view HIPAA as the end-all of your information security and privacy program, you are in huge trouble.

This white paper will detail how to go beyond HIPAA by showing how to use HIPAA as the starting point for your security program, and then using best practices and Lumension Security solutions to improve your overall security posture.

HIPAA – Showing its Age

Imagine paying $1.25 for a gallon of gasoline. One would have to go all the way back to 1996 to get that price. Going back to 1996 also takes us to the year when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA was created for health insurance reform and the streamlining of claims, and not for security and privacy. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The Administrative Simplification provisions also address the security and privacy of patient health data. The HIPAA security and privacy rules are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the US health care system.

HIPAA Security and Privacy Rule

Within Administrative Simplification exist the HIPAA Privacy Rule and Security Rule. The Privacy Rule became effective in April 2003 and establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is broadly defined as any information about the health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history[1].

The HIPAA Security Rule was issued in February 2003 and complements the Privacy Rule. While the Privacy Rule pertains to all PHI, both paper-based and electronic, the Security Rule deals specifically with electronic PHI (EPHI) and lays out three types of security safeguards required for compliance: administrative, physical and technical. For each, the Rule identifies various security standards, and for each standard it names both required and addressable implementation specifications.

Moving Beyond HIPAA

HIPAA was created by non-security personnel, who likely could not differentiate between a firewall and a fire extinguisher. The outcome is that HIPAA lacks the depth and breadth on which to build an information security program. If you build your security and privacy program with HIPAA solely as its foundation, it will fail, as HIPAA takes a myopic view of security and privacy, with PHI being the center of its universe. But there is much more to information security than PHI.

With that, covered entities[2] (CEs) must look beyond HIPAA and focus globally if they want more than simply HIPAA compliance.

While the intent of HIPAA was valorous, over a decade has passed since its inception and it has already begun to show its age. Organizations that mistakenly look to HIPAA for their security infrastructure should stop being shortsighted and look forward.

While HIPAA is a static regulation, CEs exist in a dynamic IT world with new threats coming about daily. When HIPAA first came out, vulnerability assessments, patching and configuration remediation were typically performed only quarterly, at best. Now, with zero-day threats, the lack of a defined network perimeter and the focus on information
protection, the need for real-time patching and proactive endpoint and data protection is a basic requirement.

The following steps in this white paper will show you how to get that global view and how to move beyond HIPAA for any CE.

Step 1 – Using a Framework for Security

The healthcare industry doesn’t lack information security products at its disposal. Data centers are stocked full of racks of firewalls, VPNs, security appliances and much more. While the underlying infrastructure is there, the challenge CEs face is making these products work together, to provide adequate security, and to support their HIPAA compliance effort.

By employing a well-developed, organized and enforced set of security policies, and by understanding where your exposures reside, you will be better prepared for issues when they occur. Organizations that do not define and enforce security policies proactively are in for a rough time when disaster strikes. Simply put, if your security infrastructure isn’t built on a solid foundation, it is bound to collapse under the weight of increased threats and vulnerabilities. By creating a security foundation, CEs can easily deal with any new regulation.

This is especially true given the compliance 80/20 rule. If you take all of the security and privacy regulations and combine them, there is roughly an 80% commonality between them. The 80/20 rule shows that having a core framework in place to deal with the 80% commonality means that, at worst, an enterprise will only have 20% of a new regulation to deal with.

That is where information security frameworks come into the picture. An information security framework contains the assumptions, concepts, risk values, and security practices underlying an organization’s information security infrastructure. Frameworks such as ISO 27001[3] and 27002[4] and ITIL[5] (IT Infrastructure Library) are needed because current healthcare security projects are much more complex than those of years past. Frameworks provide the formal approach to security, especially since too many CEs take an ad hoc approach to security, which is an abomination to every security professional.

Using frameworks such as ISO 17799 or ITIL helps CEs by giving them a structure with which to protect their IT assets. Also, when an organization decides to formally embrace a framework, it sends a strong message of its commitment to information security.

Within HIPAA, using a framework can be especially valuable as it can show others the depth of your security program, and your overall commitment to their security and privacy. As security is becoming a differentiating factor, the use of a framework can differentiate your organization from insecure ones.

Step 2 – Risk Assessment

The foundation of any information security program must be a formal and comprehensive risk assessment. If you don’t know your risks, you have no idea of your security context, no idea of who your adversaries are, and in essence, you are shooting in the security dark. CEs that jump into doing information security without a comprehensive and formal risk assessment end up doing a lot of security stuff, but don’t have much to show for it when all is said and done. To properly protect your network, you need to create a matrix detailing the risks your organization faces, listing the level of each threat against the likelihood of it happening.

Once the risk assessment is complete, don’t make the mistake of attempting to quickly fix all of the problems by creating a huge to-do list and then giving it to external consultants to complete. The only way to effectively manage risk on enterprise networks is to approach the remediation process in a formal, strategic manner: create detailed project plans under the control of an effective project manager.

The beauty of a risk assessment is that it tells you exactly what you need to worry about. If you don’t take this approach, you end up defending against murky hackers and vague threats from somewhere. A formalized risk assessment gives you the knowledge to know who your enemy really is; Sun Tzu would be proud.

A risk assessment is the ultimate commitment to HIPAA, as it shows that a CE isn’t simply taking a rubber-stamp approach to HIPAA, but rather is trying to get to the core of the security and privacy issues. More importantly, it shows
that a CE is focusing on the real threats, rather than on perceived external threats.

Step 3 – The 3 P’s (Policy, Processes, Procedures)

CEs need information security policies to ensure a safe and sound infrastructure. Security policies are often the first step in ensuring that corporate assets are not squandered by some nefarious employees. Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it; so too with information security policies. They are sorely needed, but most users don’t go out of their way to comply with them. And in many CEs, users are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for a CE.

The centrality of information security policies to virtually everything that happens in the information security field is increasingly evident. For example, system administrators cannot securely and effectively install a firewall unless they have received a set of clear information security policies. These policies will stipulate the type of transmission services that should be permitted, how to authenticate the identities of users, and how to log security-relevant events.

Similarly, an effective information security training and awareness effort cannot be initiated without first writing information security policies, because policies provide the essential content upon which training and awareness material rely. It is for these reasons that every major regulation or standard relating to information security and/or data privacy specifically requires written security policy documents.

A comprehensive set of security policies is required to map abstract security concepts to the real-world implementation of your security solutions, as policy defines the aims and goals of the CE.

Security processes can help a CE optimize its IT security infrastructure. The more complex an organization’s IT security infrastructure becomes, the more important it is to follow consistent and formal security operational processes and policies.

Effective procedures ensure a standard level of configuration consistency within your organization. The benefits of Standard Operating Procedures (SOPs) are immense and include:
• Standardize operations among divisions and departments
• Reduce confusion
• Designate responsibility
• Improve accountability of personnel
• Record the performance of all tasks and their results
• Reduce costs
• Reduce liability

There are many sources for SOPs, some of which include:
• ISO 17799
• CoBIT
• NIST 800 series
• Standards for Security Categorization of Federal Information and Information Systems (FIPS 199)
• ITIL

Step 4 – Training and Awareness

An effective information security training and awareness effort can’t be initiated without first writing information security policies, which provide the essential content for training and awareness materials. Establishing clear expectations through an information security awareness program is a critical element of an effective and enforceable set of policies.

Awareness is specifically required in HIPAA section § 164.308, Administrative safeguards, which states in section (5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

So important is awareness that The Standard of Good Practice for Information Security from the Information Security Forum (ISF) writes that specific activities should be undertaken, such as a security awareness program, to promote security awareness to all individuals who have access to the information and systems of the organization, with the objective of ensuring that all relevant individuals apply security controls and prevent important information used throughout the organization from being compromised or disclosed to unauthorized individuals.

The ISF defines security awareness as the extent to which staff understand the importance of information security, the level of security required by the organization and their individual security responsibilities.

One of the major problems with all information security policies revolves around management not knowing whether users have read and understood the policies. If users have not read the policies, they may ignorantly do things that cause security problems, for example, opening a file sent as an email attachment without scanning the file with a virus detection package. If users have read the policies, but not sufficiently understood them, they may still do things that cause security problems.

The true test of understanding would be observation in real-world working environments, but that is too expensive for many CEs. As the next best thing, users can be tested to determine that they understood the policy, and if they pass a quiz, then access privileges may be granted. For example, a worker who wanted to telecommute could read the telecommuting security policy, take a quiz, and get a passing score, at which point management would authorize the user to gain access to the organization’s internal network over the Internet using a virtual private network. In sophisticated organizations, such privileges may be enabled automatically based on a quiz delivered through an intranet computer-based training system or software.

Moving Beyond HIPAA

Once you take care of the above fundamental steps, go full-steam into HIPAA compliance. It is also important to do these steps before deploying a solution. But once that is done, Lumension’s suite of proactive security solutions can help in your HIPAA program to ensure that confidential medical records, specifically patient health information, remain secure.

Endpoints, especially ones that move on and off the network, are extremely vulnerable to data threats as their configurations drift over time and are not kept up-to-date with the latest anti-virus, operating system and application patches. Add to this unmanaged removable media (podslurpers) and insecure applications, which together can easily open the floodgates for data to escape into the wrong hands, whether intentionally or accidentally.

The fact that so many endpoints are infested with spyware, keyloggers and other types of malware, which so easily compromise the integrity and confidentiality of patient information, should give any CIO pause.

Lumension Security’s Proactive Security Suite ensures ePHI privacy by providing the necessary controls to manage the data flowing to and from network endpoints and by rapidly securing endpoint configurations and patching and remediating software vulnerabilities that could leave IT assets and sensitive data exposed.
Some of these solutions include:
Solution: Lumension Security Vulnerability Management
Benefits:
• Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
• Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
• Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
• Custom remediation capabilities to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.

Solution: Lumension Security Endpoint Protection
Benefits:
• Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.

Solution: Lumension Security Data Protection
Benefits:
• Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.

Solution: Lumension Security Reporting and Compliance
Benefits:
• Robust data warehouse that enables easy creation and sharing of reports on all aspects of your security efforts in support of policy compliance.
The following table lists just some of the many ways in which Lumension Security’s Proactive Security Suite helps CEs:

Main Benefit: Comply with HIPAA requirements for safeguarding the integrity and availability of ePHI
Other Benefits:
• Reduce the risk of ePHI being improperly disclosed
• Prove compliance with HIPAA by providing a detailed audit trail of all device and application execution attempts, by tracking data that is copied to and from removable devices and by controlling what data is allowed to be copied to a device at the file level
• Patch and remediate vulnerabilities before they can be exploited to access ePHI
• Control and monitor the flow of inbound and outbound ePHI with removable media and devices
• Identify organizational security holes in the protection of ePHI through comprehensive auditing capabilities

Main Benefit: Prevent malware execution originating at an endpoint
Other Benefits:
• Protect against network security breaches where ePHI could be exposed to fraud
• Enable the transmission, integrity, confidentiality and retention of ePHI without disruption, corruption or loss

Main Benefit: Improve IT system performance
Other Benefits:
• Prevent unwanted applications and devices from burdening network bandwidth
• Enable faster computing resources on network, laptops and PCs
• Maintain PCs’ performance as new with configurations remaining stable

Main Benefit: Reduce endpoint security TCO
Other Benefits:
• Minimize security or HIPAA compliance crisis response
• Remediate vulnerabilities more quickly and with fewer required resources

Main Benefit: Improve end user productivity
Other Benefits:
• Block unwanted, non-business applications
• Enforce policy to ensure endpoints run as expected
Conclusion

Security and the protection of PHI are more than just firewalls and encryption. By taking this broad approach, and rising above the minimal protection that HIPAA offers, CEs can ensure that they are HIPAA compliant not only with the letter of the law, but, more importantly, with the spirit of the law.
About the Author

Ben Rothke CISSP, PCI QSA (ben@rothke.com) is a New York based Security Consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).

About Lumension Security™

Lumension Security™, formed by the combination of PatchLink® Corporation and SecureWave® S.A., is a recognized, global security management company, providing unified protection and control of enterprise endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This includes Vulnerability Management, Endpoint Protection, Data Protection and Reporting Compliance. Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, Hong Kong and Singapore.

Lumension Security™, Inc.
15580 N. Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 85260
www.lumension.com
Footnotes:
1. This is due in part to the fact that it is relatively easy to correlate otherwise unrelated data.
2. Any organization that routinely handles protected health information in any capacity is in all probability a covered entity.
3. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organization).
4. ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
5. ITIL is a customizable framework of best practices designed to promote quality computing services in the information technology sector.